What Are the Threats?
One of my favorite quotes is from Sun Tzu's The Art of War:
If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also
suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every
battle.
To this end, it is not good enough to merely know what a firewall does or how a firewall
works. You need to understand the threats that exist, to ensure that you can effectively
protect your environment from the threats.
Threats that most IT organizations need to deal with include the following:
• Targeted versus untargeted attacks
• Viruses, worms, and trojans
• Malicious content and malware
• Denial-of-service (DoS) attacks
• Zombies
• Compromise of personal information and spyware
• Social engineering
• New attack vectors
• Insecure/poorly designed applications
Targeted Versus Untargeted Attacks
On the surface, the difference between a targeted and untargeted attack may seem pretty
unimportant. As the saying goes, an attack is an attack, regardless of source. While in the
midst of an attack, whether the attack is targeted or not may fall down the list of
priorities. However, it is important to define the difference because it could impact the
ultimate level of response required to address the attack.
Untargeted attacks are attacks that are not directly motivated by the resources being
attacked. In other words, the attacker is not necessarily being motivated to attack your
resources, as much as the attacker is probably trying to gain access to any server that
might be susceptible, and your server just so happened to fall in their sights. This is a

common attack method for defacement-style attacks. In many cases, the attacker has not
chosen to target your website because you own it, as much as they are trying to find
websites running on certain versions of web server software, and you just so happened to
be running that web server software. As a result, untargeted attacks typically do not have
as much effort and motivation behind them and can be easier to defend against than a
targeted attack is. In many cases, merely dropping the malicious traffic is enough to
effectively defend against an untargeted attack and cause the attacker to move on to
easier hunting grounds.
Targeted attacks, on the other hand, present an additional twist to the attack. For
whatever reason, the attacker is interested in the resources and data you have, and has
made a conscious and concerted effort to try to gain access to those resources. This
makes a targeted attack of more concern than an untargeted attack, because in general it
means that the attacker is going to continue to attempt to gain access to those resources,
despite your efforts to protect them. Therefore, you must be even more vigilant in
attempting to stop and ultimately catch the attacker so that the legal authorities can take
the appropriate action. Indeed, if you suspect that your environment is under a targeted
attack, it is a good idea to get the authorities involved sooner than later, because often
attackers will not stop until they have been locked up by the appropriate legal authorities.
Viruses, Worms, and Trojans
It seems like as long as there have been computer systems, there has been someone
willing to make malicious software to attack them. Although the terms virus, worm, and
trojan are often used interchangeably to refer to malicious software, each term has its
own distinct qualities and attributes that you need to understand.
Viruses are pieces of malicious code that typically are attached to legitimate software.
For example, an attacker might make a game for use on a computer that includes the
virus code as part of the game code. As the game is passed from computer to computer,
typically through user intervention such as e-mail or sharing discs, the virus is able to
spread, infecting computers that run the game software. Viruses have differing degrees of
severity, ranging from merely annoying messages and content, to destructive code
designed to erase or otherwise cause the loss of data or system functionality. The key

attribute to a virus is that it cannot execute and spread by itself; it requires user
intervention to allow it to function and infect other systems.
Worms are similar to viruses (sometimes even considered a subclass, or evolution of the
traditional virus), with one major difference. Worms are self-replicating and can spread
and infect systems with no help from a human user after they have been initially
unleashed. In many cases, worms take advantage of system exploits in their propagation
process, utilizing the exploit to allow the worm to infect a new system. Another common
method of propagation is to utilize the e-mail client on an infected host to e-mail the
worm to additional targets. This nature of a worm allows it to be much more devastating
than a traditional virus because an infected host can effectively spread the infection to
hundreds of thousands of systems at once, allowing the spread of the worm to grow
exponentially after the initial host has been compromised. This propagation can be so
disruptive as to actually cause an inadvertent denial of service against resources in some
cases. For example, Code Red spread by attempting to connect to a large number of
remote hosts, which in turn caused the routers connected to the networks that those
remote hosts resided on to issue a corresponding amount of Address Resolution Protocol
(ARP) requests in an attempt to connect to the remote hosts. Because of the sheer
quantity of requests and the nature of how ARP functions (ARP is covered in more detail
in Chapter 3
), many routers were unable to handle the sheer volume of traffic and
therefore stopped being able to forward legitimate data.
Trojans take the idea of malicious viruses and worms to a new level. Rather than
functioning as a virus or worm, the objective of a trojan is to appear as a piece of useful
software that has a hidden function, typically to gain access to the resources on the
infected system. For example, many trojans will install back-door software (such as
BackOrifice) on the infected system, allowing the designer of the trojan to be able to
connect to and access the infected system.
Viruses, worms, and trojans can be difficult to defend against using firewalls alone, and
generally require either the integration of virus-scanning software on the firewall itself or
the use of third-party products in conjunction with a firewall.

Malicious Content and Malware
Malicious content is simply data that was written with a nefarious purpose in mind. In
most cases, malicious content requires the user to undertake some action that allows the
protected system to be exposed to the content. This action may be accessing a website or
simply viewing an e-mail that contains the content. The users, by virtue of the fact that
they undertook the risky action, inadvertently allow their systems to become
compromised by the malicious content. Often, the malicious content is active scripting
functionality that allows arbitrary code to be executed by the client web browser or e-
mail client, thus allowing the malicious content to perform functions ranging from
accessing/destroying client data to installing viruses, worms, trojans, back doors, or just
about any malware (malicious software) the attacker desires.
Malware (malicious software) simply builds on the basic premise of malicious content
and includes any software that has a nefarious purpose in mind. Malicious software
includes software such as viruses, worms, and trojans, although those three types of
malware warrant their own distinct discussions because of the specialized nature and
impact of each.
Unlike most threats this book covers, malicious content and malware generally requires
the user on the protected network or resource to purposely or inadvertently perform some
action to allow the content to be executed. As a result, protecting against malicious
content and malware frequently requires the firewall to be able to monitor and control
traffic that may originate from a protected network or host, typically through the use of
egress filters on the firewall itself and content-filtering software used in conjunction with
the firewall.
Denial of Service
A DoS attack entails a threat that simply prevents legitimate traffic from being able to
access the protected resource. A common DoS is one that causes the services or server
itself to crash, thus rendering the service being provided inaccessible. This attack is
commonly done by exploiting buffer overflows in software and protocols or by sending
data to the host that the host does not know how to respond to, thus causing the host to
crash.

A variant of the DoS that has gained traction and is much more difficult to protect against
is the distributed DoS (DDoS). With a DDoS, the end purpose is the same, but the
method of attack differs. DDoS attacks typically utilize thousands of hosts to attack a
target, thus increasing the amount of traffic exponentially. The objective of the DDoS is
to overload the target with so many bogus requests that the target cannot respond to
legitimate requests. Consequently, the difference between a DoS and a DDoS is generally
the number of hosts engaging in the attack and the fact that the attackers are distributed
across these systems as opposed to attacks coming from a single attacker. In fact, many
DDoS attacks are nothing more than a DoS that is being executed on a much larger scale.
One well-known method of performing a DDoS is what is known as a SYN flood. A
SYN flood in and of itself is not necessarily a DDoS. A SYN flood functions by
presenting a target host with thousands of connection requests that are not allowed to
complete successfully. The target must wait a determined amount of time for the
connection to be successfully completed, thus utilizing network traffic buffers to store the
partially created connections. When these buffers fill up with these partially created
connections, the target can no longer accept new connection requests, and therefore
begins dropping new traffic. What makes it particularly potent as a DDoS attack,
however, is when thousands of hosts undertake the SYN flood, thus exponentially
increasing the amount of traffic the targeted host must deal with. If one host attempts a
SYN flood, it might not be able to generate enough connection requests to cause the DoS,
but when 1000 (or more) other hosts join in, suddenly the targeted host can be quickly
become inundated. Another method of performing a DDoS is to simply saturate the target
with so much data, legitimate or otherwise, that the amount of traffic exceeds the capacity
of the network bandwidth. This type of DDoS is particularly difficult to protect against
because by the time DDoS traffic is on the network, it is already too late to stop it. The
only effective way to protect against this type of DDoS is to rely on an upstream partner
with more bandwidth than you have to filter the malicious traffic prior to it traversing
your network segments. More mundane forms of DoS, particularly a DoS that attempts a
SYN flood, can be protected against by implementing the appropriate rules on the
firewall.

Zombies
Zombies are systems that have been infected with software (typically trojans or back
doors) that puts them under the control of the attacker. The zombies can then be used at
some point in the future to launch an attack, frequently a DoS attack against the ultimate
target of the attacker.
The most effective way to protect against zombies is to prevent a system from being used
as a zombie in the first place. You can do so by implementing egress filtering (filtering of
traffic from a protected network) at the firewall as well as content filtering to ensure that
even if a system is somehow turned into a zombie, it cannot be used to execute the final
attack. In this sense, it is the responsibility of the firewall administrator to not only ensure
that the firewall protects the organization's resources, but also to ensure that the firewall
protects others from the organization's internal systems.
Compromise of Personal Information and Spyware
Personal information, in particular financial information, is the holy grail of many
attackers. With that information, an attacker can either use or sell the data to someone
who will use it to engage in all sorts of financial-based frauds. Literally millions of
dollars of fraudulent purchases are made every year using personal information that was
obtained illegally.
Financial information is only one component in the compromise of personal information.
Another risk is the compromise of private medical data. This information, if made public,
could result in people being illegally discriminated against. For example, an insurance
company that has full and unfettered access to a patient's medical data might not be
willing to insure the subject.
The compromise of personal information has led to a slew of legislation, the most well
known being the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
which requires companies and organizations to take steps to ensure that personal
information is not exposed to unauthorized access. From a corporate perspective, this
means that the systems that collect this kind of data need to be insulated and protected to
ensure that only authorized access to the data is permitted. The penalties for failing to
protect personal information range from legal penalties to the loss of business and trust

from the users of your systems.
A variation of the compromise of personal information is the compromise of proprietary
or confidential information of a company or organization. This compromise could include
the loss of source code or trade secrets as well as more mundane items such as company
strategies and future business initiatives, allowing your competitors to gain an unfair
advantage in business operations and competition.
In all of the previous methods, firewalls can be used to segment and isolate the critical
systems, allowing greater control over who and what types of access to the protected
resources will be allowed.
The compromise of information is not restricted solely to the realm of business.
Individuals also risk the loss of their personal information through the use of malicious
software such as spyware. Spyware functions in many ways like a trojan and allows the
designer of the spyware to track everything from what websites an individual frequents to
the purchases (and potentially the credit cards used) that the user makes. Spyware is
much more difficult to control using network firewalls because in most cases the spyware
is distributed throughout the environment. Many personal firewalls have included
spyware-detection and -removal functionality as a component of their firewall suite,
however, and therefore these can be an effective solution to the problem of how to protect
personal information on a local computer.
Social Engineering
Whereas brute-force hacking a system gets all the sex appeal, social engineering is the
surgical strike to the carpet-bombing mentality of a traditional hack. Social engineering
attempts to compromise what is often the weakest link in an organization's security, the
wetware (or people).
A social-engineering attack typically involves attackers attempting to pretend to be
someone they are not, sometimes a user in need of help, sometimes an administrator
attempting to help a user in need, and then trying to get the information they need from
their target. For example, someone might contact users asking whether they are having
any computer problems (most all users have some problem). The attacker might then
seem to be trying to help the users troubleshoot the problem by asking them their

password so they can attempt to log in as the user and see whether they experience the
same problem. If a user provides that password, the attacker can then attempt to use it to
gain access to other resources. Let's assume that your virtual private network (VPN)
requires user authentication. With this information, a remote attacker might then be able
to successfully log on to your VPN concentrator, and thus gain access to the internal
network.
Because of the nature of a social-engineering attack, all the firewalls in the world will not
do anything to prevent the attack from being successful. Rather, the best defense against
social engineering is a well-trained user community and staff (you would be amazed at
how many IT administrators will turn passwords over to a "service provider" trying to
help troubleshoot a problem) that knows what is and is not acceptable information that
should be shared either over the phone or in person.
New Attack Vectors
A current buzz is the threat of the zero-day event or exploit. The zero-day event is a
security vulnerability that is exploited on the same day it is discoveredbefore vendors can
respond with the appropriate patch or solution. Although the zero-day event has not
happened yet, the time between when vulnerabilities are discovered and exploited has
continued to get shorter and shorter.
The decreasing time from vulnerability to exploitation presents a problem because most
technologies today take a rather reactionary response to attacks. As new vulnerabilities
are discovered and published, vendors often must figure out the solution and attempt to
deliver it before the attack is attempted. During this time period, after a vulnerability has
been discovered but before a solution is available, systems are completely vulnerable and
susceptible to attack and exploit. As an administrator, the only effective way to deal with
new attack vectors is to ensure that you have an aggressive
p
atch management solution in
p
lace, and that you apply patches and access control rule updates in a timely fashion, thus
reducing that period of vulnerability.

Insecure/Poorly Designed Applications
The ugly truth that few software vendors want to admit is that a sizeable number of
successful attacks result from insecure and poorly designed applications. In some cases,
the application was designed well at the time, but the times changed and the application
did not. In other cases, the application is just badly designed and implemented.
Regardless of the reason, insecure and poorly designed applications are one of the most
difficult threats to address. Unfortunately, we are all at the mercy of the software vendors
to patch their systems; if they have not or will not undertake this, the best we can do is
attempt to work around the insecurity or design flaw, or use a different vendor's products.
Application proxies can be an effective solution to this problem, because the application
proxy can typically be configured to recognize malicious traffic that attempts to exploit
the application insecurity, and thus protect the system running the insecure application.
Another potential solution is to use the firewall to prevent connections to the vulnerable
system that are not necessary for the system to perform its job. For example, if the
protected system is running a web server that is insecure, but the web server does not
need to be accessed from an external source, you can configure the firewall to prevent
access to the web server, while allowing access to any other applications the protected
system is running.